tarachandverma / nginx-openidc

Nginx module for openid-connect relying party, SSO and JWT authentication

[error] 22960#22960: *37 too big subrequest response: Nginx with OIDC module #13

Open praveentmh opened 5 years ago

praveentmh commented 5 years ago

Hello, we are getting this error while using nginx with the oidc-config.xml model for SSO:

Error: 2019/02/28 16:12:52 [error] 22960#22960: *37 too big subrequest response: 7663 while sending to client, client: xx.xx.xxx.xx, server: , request: "GET /oauth2/callback?code=asassdAddaCCSDAcsASqa3dA5SC&state=asdfhwakefcAA4ksdklvsd7ajsjHAw HTTP/1.1", subrequest: "/internal/oauth2/token", upstream: "http://yy.yyy.yyy.yyy:8080/internal/oauth2/token", host: "zz.zzz.zzz.zzz:8787"

Please find the configuration below:

File Name : /etc/nginx/conf.d/load-balancer.conf

# NOTE(review): line breaks were lost in the paste, so as shown the "#####" separator
# comments out the `upstream backend { ... }` block on the same line; read it as the
# separator followed by the upstream block on its own lines.
############################################################### upstream backend { ip_hash; server yy.yyy.yyy.yyy:8080; }

# This server has no server_name, so it is the default server for :8787; any request
# whose Host does not match another server on that port (the error log shows
# `server: ` empty) is handled here, and it has no /internal/oauth2/token location.
server { listen 8787;

# proxy_* buffers apply to proxied responses sent on to the client. NOTE(review): on
# nginx 1.13.10 and later an in-memory subrequest body is bounded by
# `subrequest_output_buffer_size` (one memory page by default) rather than by these
# directives — confirm against the nginx version in use.
proxy_buffering on; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k;

# fastcgi_* directives have no effect here: this location uses proxy_pass, not fastcgi_pass.
# The backend is reached over plain http, so the authorization code and any identity
# headers cross this hop unencrypted; acceptable only on a trusted network segment.
location / { fastcgi_buffer_size 128k; fastcgi_buffers 4 256k; proxy_pass http://backend; } } ##############################################################

File Name : /etc/nginx/nginx.conf

# NOTE(review): line breaks were lost in the paste, so as shown the "#####" separator
# comments out the `user`/`worker_processes`/`pid`/`include` directives on the same
# line; read them as the lines that follow the separator.
############################################################## user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf;

events { worker_connections 1024; }

# NOTE(review): the include patterns below look truncated by the paste (`conf.d/.conf`,
# `sites-enabled/`); presumably `conf.d/*.conf` and `sites-enabled/*`, which pulls in
# load-balancer.conf and its own `server { listen 8787; }` ahead of the server block
# declared further down.
http { include mime.types; default_type application/octet-stream; include /etc/nginx/conf.d/.conf; include /etc/nginx/sites-enabled/;

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

##
# SSL Settings
##

# TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (and TLSv1.3 where the OpenSSL build
# supports it) is the current baseline for a server that handles OIDC tokens.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

# OIDC module settings (http context).
OPENIDC_HomeDir                        /usr/local/nginx/conf;
OPENIDC_LogFile                        oidc-refresh.log;
OPENIDC_SharedMemory  file=/config.shm size=61000;
# A real passphrase has been posted in a public issue: treat it as compromised and
# rotate it; use a placeholder when sharing configuration.
OPENIDC_PassPhrase                     secret123;
# Identity headers forwarded to the backend carry the X-REMOTE- prefix; the backend
# must trust them only on the hop from this nginx. NOTE(review): confirm the module
# strips client-supplied X-REMOTE-* headers before proxying.
OPENIDC_HeaderPrefix                   X-REMOTE-;
#OPENIDC_RefreshWaitSeconds                             20;
OPENIDC_ConfigFile                     oidc-config.xml;

# NOTE(review): the error log reports `server: ` (empty) and the subrequest going
# upstream to http://yy.yyy.yyy.yyy:8080/internal/oauth2/token, i.e. the backend from
# load-balancer.conf rather than the token endpoint configured below. server_name
# here includes a port, and nginx matches the Host header without its port, so this
# name is unlikely to match; the callback then lands in load-balancer.conf's
# server-name-less `listen 8787` block, where /internal/oauth2/token is not defined,
# the subrequest falls through to its `location /`, and the 7663-byte body is the
# application's reply, not a token response. Worth confirming by defining the
# internal location in whichever server block actually receives /oauth2/callback.
server { listen 8787; server_name zz.zzz.zzz.zzz:8787;

    # NOTE(review): proxy_buffer_size sizes the buffer for proxied responses sent to
    # the client; on nginx 1.13.10 and later an in-memory subrequest body is bounded
    # by `subrequest_output_buffer_size` (one memory page by default) instead, so
    # raising these does not lift the "too big subrequest response" limit — confirm
    # against the nginx version in use.
    proxy_buffering on;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

    # authorization code flow - exchanging authorization code to id_token(JWT)
    location /internal/oauth2/token {
           internal;
           # NOTE(review): the directive name is missing on the next line (presumably
           # `proxy_pass`, lost in the paste); as shown, nginx would reject this config.
           https://www.googleapis.com/oauth2/v4/token;
    }
}

gzip on;

} ##########################################################################################

File Name : /etc/nginx/oidc-config.xml

##########################################################################################

<!-- NOTE(review): the enclosing elements (provider metadata, relying-party settings)
     were stripped when this was pasted; only their text survives on the next line.
     That text names a Microsoft issuer (login.microsoftonline.com/.../v2.0), while the
     login action and the nginx token location point at Google endpoints; confirm that
     the provider, authorize URI and token URI all belong to the same IdP. -->
nginx oidc demo http://yy.yyy.yyy.yyy:8080/oauth2/callback https://login.microsoftonline.com/97gig98ihh99-898-988/v2.0
                     <!-- Login action (type="login"): its uri is the IdP authorize endpoint. -->
                     <action id="oidc-login" type="login">
                <description>oidc login</description>
                    <base64UrlEncodeState>true</base64UrlEncodeState>
                <!-- NOTE(review): redirect_uri here is http://ngx-oidc-demo.com/oauth2/callback,
                     the last action uses http://yy.yyy.yyy.yyy:8080/oauth2/callback, and the
                     error log shows the callback arriving at zz.zzz.zzz.zzz:8787. The IdP
                     compares redirect_uri exactly against the registered value, so these
                     should be one https URL matching the host clients actually reach. -->
                <uri><![CDATA[https://accounts.google.com/o/oauth2/v2/auth?response_type=code&scope=email+openid&client_id=example_dev&redirect_uri=http://ngx-oidc-demo.com/oauth2/callback]]></uri>
           </action>
            <!-- Callback action (type="callback"): its uri is the internal nginx location
                 that proxies the code exchange to the token endpoint (see nginx.conf). -->
            <action id="oidc-callback" type="callback">
                <description>oidc login</description>
                <isForward>true</isForward>
                    <oidcProvider>Example</oidcProvider>
                    <relyingParty>demo-client</relyingParty>
                <uri>/internal/oauth2/token</uri><!-- upstream proxy to google token endpoint -->
            </action>
            <!-- NOTE(review): this action carries no type attribute, unlike the two above;
                 confirm that is intended rather than a paste omission. -->
            <action id="oidc-login-strip-invalid-token"><!-- strip id_token from outgoing request -->
                <description>oidc login</description>
                    <base64UrlEncodeState>true</base64UrlEncodeState>
                <uri><![CDATA[https://login.microsoftonline.com/906aefe9-76a7-4f65-b82d-5ec20775d5aa/oauth2/v2.0/authorize?response_type=code&scope=email+openid+profile&client_id=example_dev&redirect_uri=http://yy.yyy.yyy.yyy:8080/oauth2/callback]]></uri>
            </action>

#########################################################################################################################

Request for help...

tarachandverma commented 5 years ago

I will take a look shortly and let you know.